Setanta1810 asked:
Can't stop ads234 redirecting my browser
Can someone look at this log file from HijackThis and tell me what to remove, please? I have run SpywareNuker and Xoft Spyware Remover. Thanks.
Logfile of HijackThis v1.98.1
Scan saved at 16:51:23, on 07/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Logitech\iTouch\iTouch.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\docume~1\damien\locals~1\temp\pkeDo.exe
C:\docume~1\damien\locals~1\temp\4qHg.exe
C:\docume~1\damien\locals~1\temp\0dN5m.exe
C:\documents and settings\damien\local settings\temp\Ss2.exe
C:\documents and settings\damien\local settings\temp\p2TUfpF.exe
C:\WINDOWS\System32\dpcdyctl.exe
C:\documents and settings\damien\local settings\temp\HOrbUQvu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\System32\dpniiexx.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\System32\OlabI.exe
C:\WINDOWS\System32\Ikr2.exe
C:\WINDOWS\sllights.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis!\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Damien\Local Settings\Temp\lx7Lv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [pkeDo] C:\docume~1\damien\locals~1\temp\pkeDo.exe
O4 - HKLM\..\Run: [4qHg] C:\docume~1\damien\locals~1\temp\4qHg.exe
O4 - HKLM\..\Run: [0dN5m] C:\docume~1\damien\locals~1\temp\0dN5m.exe
O4 - HKLM\..\Run: [24BE6BN397HQ8B] C:\WINDOWS\System32\Mdm7.exe
O4 - HKLM\..\Run: [Ss2] C:\documents and settings\damien\local settings\temp\Ss2.exe
O4 - HKLM\..\Run: [Wpnlmk] C:\docume~1\damien\locals~1\temp\Wpnlmk.exe
O4 - HKLM\..\Run: [p2TUfpF] C:\documents and settings\damien\local settings\temp\p2TUfpF.exe
O4 - HKLM\..\Run: [r72U35j] dpcdyctl.exe
O4 - HKLM\..\Run: [o1ou2] C:\docume~1\damien\locals~1\temp\o1ou2.exe
O4 - HKLM\..\Run: [HOrbUQvu] C:\documents and settings\damien\local settings\temp\HOrbUQvu.exe
O4 - HKLM\..\Run: [mdrvm] C:\WINDOWS\System32\mdrvm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [awt8RRHmP] dpniiexx.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.wow-europe.com/signup/en/wowbeta/Si.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C46D935-5A04-45EF-995A-5F31573531EE}: NameServer = 194.145.128.1 194.125.2.206
ASKER
Thanks, removed them, but when I type in a URL it still goes through ads234.com first. Any idea how to stop that?
ASKER CERTIFIED SOLUTION
Guess that fixed it?
I used some software called SpywareBlocker which sits in the background and has since stopped my machine becoming infected. I also switched on the XP Connection Firewall, which seems to help.
Same problem here, don't know what else to do (already tried all spyware and adware removal tools under safe mode). Thank you for helping.
Logfile of HijackThis v1.98.2
Scan saved at 11:25:05 AM, on 8/26/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\WLANSTA.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\WINDOWS\System32\BtUsrBdg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\Rita J. Anes\Application Data\Mini\minicontrolpanel-w32-x86-40.exe
C:\WINDOWS\System32\narcert6.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\SONYER~1\COMMUN~1\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rita J. Anes\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - (no file)
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Rita J. Anes\Local Settings\Temp\NC8SE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\COMMON~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Mini] C:\Documents and Settings\Rita J. Anes\Application Data\Mini\minicontrolpanel-w32-x86-40.exe
O4 - HKCU\..\Run: [Zo5sRPH9U] narcert6.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60910.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21a3237caf5c6f0f1916/netzip/RdxIE6.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97FA0068-033F-4B4E-9151-BF54DB24F6C7}: NameServer = 4.2.2.2,4.2.2.3
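Both logs above get triaged by eye in this thread. The script below is an added example, not HijackThis code and not from any poster, that applies the same checks mechanically to HijackThis-style lines: entries auto-starting from a Temp directory (the pkeDo/4qHg/Ss2 family and the WinPage Affiliate and Search Help BHOs), orphaned URLSearchHooks and BHOs reported as "(no file)" or "(file missing)", O4 entries that are a bare filename whose Run key name does not match the binary ([r72U35j] dpcdyctl.exe, [awt8RRHmP] dpniiexx.exe, [Zo5sRPH9U] narcert6.exe), an ActiveX control (O16) pulled from a raw IP address, a search bar pointing at a local HTML file, and proxy (R1) and DNS (O17) settings that should be confirmed rather than assumed. SAMPLE_LOG is a constructed excerpt: lines copied from the two logs in this thread with the line-wrap garbling undone. The severities and the rules themselves are my own heuristics; the bare-filename rule will also flag legitimate OEM entries such as [ATIModeChange] Ati2mdxx.exe, which is why it reports REVIEW rather than HIGH.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not HijackThis code and not from any poster.
Each rule is a check an analyst applies by eye to O2/O4/R1/R3/O16/O17
entries; the output is a list of items to review, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two logs in this thread, with the
# line-wrap garbling undone.  Clean entries are mixed in with suspicious ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [pkeDo] C:\docume~1\damien\locals~1\temp\pkeDo.exe
O4 - HKLM\..\Run: [r72U35j] dpcdyctl.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [Zo5sRPH9U] narcert6.exe
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Damien\Local Settings\Temp\lx7Lv.dll
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21a3237caf5c6f0f1916/netzip/RdxIE6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97FA0068-033F-4B4E-9151-BF54DB24F6C7}: NameServer = 4.2.2.2,4.2.2.3
"""


@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM, LOW or REVIEW
    entry: str     # the log line the finding refers to
    reason: str


RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "REVIEW": 3}
TEMP_DIR = re.compile(r"\\temp\\", re.I)  # ...\locals~1\temp\x.exe or ...\Local Settings\Temp\x.dll
O4_LINE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O16_LINE = re.compile(r"^O16 - DPF: .* - https?://(?P<host>[^/\s]+)", re.I)
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOCAL_PAGE = re.compile(r"Internet Explorer\\Main,[^=]+= file://", re.I)


def executable_of(cmd: str) -> str:
    """Program part of a Run value: the quoted path, or everything up to the first .exe/.dll/... token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def check_line(line: str) -> list[Finding]:
    """Apply every rule to one log line; a line may raise more than one finding."""
    found: list[Finding] = []
    if TEMP_DIR.search(line):
        found.append(Finding("HIGH", line, "auto-start entry or browser plugin loaded from a Temp directory"))
    if "(no file)" in line or "(file missing)" in line:
        found.append(Finding("LOW", line, "orphaned entry: target file is gone, remove the registry entry"))
    m = O4_LINE.match(line)
    if m:
        exe = executable_of(m["cmd"])
        if "\\" not in exe:  # bare filename: Windows resolves it through the search path at logon
            key = re.sub(r"\.exe$", "", m["key"], flags=re.I).lower()
            stem = re.sub(r"\.[^.]+$", "", exe).lower()
            if key != stem:
                found.append(Finding("REVIEW", line, f"bare filename {exe} whose Run key name does not "
                                                     f"match it; locate the file and check its publisher"))
    if "Internet Settings,ProxyServer = " in line:
        found.append(Finding("REVIEW", line, "a proxy is configured; confirm it is yours or your ISP's"))
    if LOCAL_PAGE.search(line):
        found.append(Finding("REVIEW", line, "browser search/start page points at a local HTML file"))
    m = O16_LINE.match(line)
    if m and BARE_IP.match(m["host"]):
        found.append(Finding("MEDIUM", line, f"ActiveX control downloaded from a raw IP address ({m['host']})"))
    if line.startswith("O17 ") and "NameServer = " in line:
        servers = line.split("NameServer = ", 1)[1].replace(",", " ").split()
        found.append(Finding("REVIEW", line, "DNS servers set on the adapter (" + ", ".join(servers)
                                             + "); confirm they belong to your ISP"))
    return found


def triage(log_text: str) -> list[Finding]:
    """Run check_line over a whole log and return the findings, most severe first."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            findings.extend(check_line(line))
    return sorted(findings, key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.entry}\n         -> {f.reason}")
```

Run it as-is to see the sample triaged, or paste a whole HijackThis log into SAMPLE_LOG. The Temp-directory rule alone accounts for every O4 entry the thread ends up removing from the first log; the bare-filename rule is the one that needs a human, since OEM utilities registered as plain filenames in System32 look the same as the dpcdyctl.exe/dpniiexx.exe pair until you find the file and check who signed it.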
First boot into Safe Mode and log in as Administrator.
There are free versions of each. Before scanning, use each program's update option to get the latest signature files, then scan, using Spybot first.
a² Free is also a good malware cleaner and can be downloaded from: http://www.emsisoft.com/en/software/download/
Spybot Search & Destroy: http://www.safer-networking.org/en/download/index.html
AdAware: http://lavasoft.element5.com/support/download/
Clean out your Temp folders. Here's an excellent freeware tool that can help, called CrapCleaner: http://www.ccleaner.com/
Then update your virus scanner and scan your system again, or use one of these free online scanners (note: some spyware has been known to disable PC-based AV scanners):
http://housecall.trendmicro.com or http://www.pandasoftware.com/activescan/com/activescan_principal.htm
If you are not using a software-based firewall, get one. ZoneAlarm from www.zonelabs.com is a favorite, and again there is a free version.
Some prefer the free Sygate Personal Firewall from http://www.uant.net/firewall/sygateguide.html (like myself).
(borrowed from Bill_bright)
Reboot back into Normal Mode and check if the problems are gone. If YES then great; otherwise follow the help of others and I will do some more research for you.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
O4 - HKLM\..\Run: [pkeDo] C:\docume~1\damien\locals~1\temp\pkeDo.exe
O4 - HKLM\..\Run: [4qHg] C:\docume~1\damien\locals~1\temp\4qHg.exe
O4 - HKLM\..\Run: [0dN5m] C:\docume~1\damien\locals~1\temp\0dN5m.exe
O4 - HKLM\..\Run: [Ss2] C:\documents and settings\damien\local settings\temp\Ss2.exe
O4 - HKLM\..\Run: [Wpnlmk] C:\docume~1\damien\locals~1\temp\Wpnlmk.exe
O4 - HKLM\..\Run: [p2TUfpF] C:\documents and settings\damien\local settings\temp\p2TUfpF.exe
O4 - HKLM\..\Run: [o1ou2] C:\docume~1\damien\locals~1\temp\o1ou2.exe
O4 - HKLM\..\Run: [HOrbUQvu] C:\documents and settings\damien\local settings\temp\HOrbUQvu.exe
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Damien\Local Settings\Temp\lx7Lv.dll